1. Field of the Invention
The present invention relates to the verification of the security settings of software, and more particularly to a security verification method and device that can detect and indicate the presence of composite errors in security settings that can become security holes in software.
2. Description of the Related Art
With the popularization of the Internet in recent years, the Internet is becoming a vital element of the social infrastructure that rivals the telephone network or the like. Users can receive a great variety of services on the Internet. Services that are offered on the Internet are typically realized by accepting a series of requests from a user, executing processing in accordance with the accepted requests, and then sending the results of this processing to the user. More specifically, services are widely disseminated by means of the WWW (World Wide Web), and these serve as the infrastructure of various services such as electronic commerce.
The various services that are provided on the Internet are realized by systems known as servers that are connected to the Internet. In particular, servers that are open to the public on the Internet accept requests from users of the general public and are therefore prone to so-called “cyber-attacks,” i.e., attacks on cyberspace, and this vulnerability poses a serious security problem.
In this type of cyber-attack on a public server, individuals take improper advantage of security holes such as vulnerable points and improper settings that exist in the server to submit malicious requests, activate illegal operations, and bring about malicious operations such as the misappropriation of confidential files. Examples that can be offered of vulnerable points that exist in a server include programming errors that cause faults in the server software, and examples that can be offered of improper settings include setting errors that occur when making security settings that cause faults in the server software.
Ideally, such cyber-attacks can be prevented in advance by eliminating server security holes. However, completely eliminating security holes in software is extremely difficult, and in practical terms, impossible. In addition, since software creators and server operators are not typically the same entity, the possibility cannot be excluded that a server operator will misunderstand the software specifications and thus make settings in the software that will jeopardize security.
As devices for verifying security, security examination devices have been proposed in, for example, Japanese Patent Laid-Open Publication No. 2002-229946 (JP P2002-229946 A) or in the Internet document “Internet Scanner” (http://www.isskk.co.jp/product/internet_Scanner.html) for checking for the existence of vulnerable points in, for example, servers and for determining the security strength of computer systems. Such a security examination device is specifically made up from vulnerability database 510, pseudo-attack unit 520, and response examination unit 530 as shown in FIG. 1.
In the following description, a computer or a computer system that is the object of examination or verification is referred to as an object system.
In the security examination device shown in FIG. 1, pseudo-attack unit 520 extracts from vulnerability database 510 an attack procedure that has been prepared beforehand in accordance with the configuration of the computer system that is the object system, for delivering a pseudo-attack upon the object system. Pseudo-attack unit 520 uses the extracted attack procedure to deliver a pseudo-attack upon the object system. Response examination unit 530 examines the object system that has been attacked, compares the response of the object system with responses that have been defined in advance in accordance with the attack procedure, and checks for the existence of vulnerabilities in the object system. The security examination device shown in FIG. 1 is thus a device that carries out pseudo-attacks upon all objects of examination as described above and examines the security of the objects of examination based on the existence or absence of vulnerable points.
The Internet document “System Scanner” (http://www.isskk.co.jp/product/System_Scanner.html) discloses a device for examining the security of the object computer system by comparison with recommended settings that have been prepared in advance. In this device, recommended settings are registered in a database, and security is examined by comparing these recommended settings with the actual settings in the object system.
Finally, Ronald W. Ritchey and Paul Ammann, in the 2000 IEEE Symposium on Security and Privacy (pp. 156–165, March 2000), have proposed a security verification method in which the correlation between a plurality of vulnerabilities is represented by means of a graph to enable examination of cases in which the combination of vulnerabilities poses a greater threat. In this method, a plurality of vulnerabilities is detected in advance, and the correlation between these vulnerabilities is then represented in a graph. For example, an object system is assumed to have two vulnerabilities. One is a vulnerability that allows user privileges to be misappropriated through the Internet; the other is a vulnerability that allows any user to assume an administrator's authority. Here, the second vulnerability, which allows “any user to assume an administrator's authority,” is not a serious vulnerability on its own because it cannot be directly used by an outsider. Thus, in a device that investigates single vulnerabilities, the overall system will usually be determined to be free of problems despite the existence of the second vulnerability. Once the first vulnerability has been used, however, the second vulnerability can be used. In other words, only after these two vulnerabilities have been combined can the existence of a serious vulnerability be determined. To examine such combinations of vulnerabilities, vulnerabilities that can be used once a particular vulnerability has been used are comprehensively linked in a directed graph. The device of Ritchey et al. investigates the combination of a plurality of vulnerabilities in this way.
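The two-vulnerability case above can be made concrete with a small privilege graph. The following is an added example, not code from the patent or from Ritchey and Ammann: each vulnerability is modelled by the privilege an attacker must already hold to use it and the privilege it yields, a single-vulnerability check looks only for one step from "remote" to "admin", and a breadth-first search over the directed graph finds the chain that the single check misses. The vulnerability names, privilege levels and the `VULNERABILITIES` table are constructed for illustration.

```python
from collections import deque

# Constructed sample, not from the patent: the two vulnerabilities described in
# the text. "remote" is an outsider with no foothold; "user" and "admin" are
# privilege levels on the object system. Names and levels are hypothetical.
VULNERABILITIES = {
    "V1-remote-to-user": {"requires": "remote", "grants": "user"},
    "V2-user-to-admin": {"requires": "user", "grants": "admin"},
}


def single_vulnerability_check(vulns, start="remote", goal="admin"):
    """Prior-art style check: report only vulnerabilities that by themselves take
    an attacker from `start` to `goal`. Returns the sorted list of such names."""
    return sorted(
        name for name, v in vulns.items()
        if v["requires"] == start and v["grants"] == goal
    )


def build_graph(vulns):
    """Directed graph over privilege levels: an edge from the privilege a
    vulnerability requires to the privilege it grants, labelled with its name."""
    graph = {}
    for name, v in vulns.items():
        graph.setdefault(v["requires"], []).append((v["grants"], name))
    return graph


def find_chain(vulns, start="remote", goal="admin"):
    """Breadth-first search from `start` to `goal`. Returns the ordered list of
    vulnerability names forming the shortest chain, or None if no chain exists."""
    graph = build_graph(vulns)
    parent = {start: None}          # privilege -> (previous privilege, vuln used)
    queue = deque([start])
    while queue:
        priv = queue.popleft()
        if priv == goal:
            chain = []
            while parent[priv] is not None:
                prev, via = parent[priv]
                chain.append(via)
                priv = prev
            return list(reversed(chain))
        for nxt, via in graph.get(priv, []):
            if nxt not in parent:
                parent[nxt] = (priv, via)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("single-vulnerability check:", single_vulnerability_check(VULNERABILITIES))
    print("chain found by graph search:", find_chain(VULNERABILITIES))
```

The single-vulnerability check returns an empty list for the sample, which is the "free of problems" verdict the text describes, while `find_chain` returns the two-step chain. The same search works unchanged for larger tables with more privilege levels, which is why the graph representation scales to more than two vulnerabilities.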
None of the above-described examples of the prior art takes the content of security settings as the object system, and these examples of the prior art therefore suffer from the problem of the inability to investigate whether the security settings are improper settings. In other words, in each of the above-described examples of the prior art, a pseudo-attack cannot be carried out for examining security settings. More specifically, examples such as the security examination device shown in FIG. 1 or a security verification device in which the correlation of a plurality of vulnerabilities is represented as a graph employ an investigation approach that is referred to as the “pseudo-attack method.” In this type of investigation approach, the examination is realized by preparing attack procedures in advance that are matched to vulnerabilities and then actually delivering an attack. As a result, only vulnerabilities for which an attack procedure can be produced in advance are taken as the inspection items, and security settings for which a pseudo-attack cannot be prepared cannot be examined.
The method in which comparisons are made with recommended settings investigates the existence of setting errors in the security settings, but this method allows only the examination of obvious setting errors in the security settings. In other words, this method can take as inspection items only obvious setting errors that can be examined for individual settings, such as cases in which the password is empty, and cannot examine the existence of improper settings that are based on composite setting errors, i.e., errors that are difficult to determine as setting errors when each setting is examined in isolation. On the other hand, most illegal access occurs due to setting errors, and a rigorous verification of the existence of setting errors that may result in problems is therefore preferable.
Each of the above-described examples of the prior art suffers from the problem of the inability to determine whether the combination of a plurality of security settings will result in an improper setting. None of the above-described examples of the prior art is capable of examining the existence of improper settings that result from composite setting errors. More specifically, the security examination device shown in FIG. 1 or the security examination device that is based on comparison with recommended settings takes as examination items only security holes in which a computer system becomes vulnerable due to only a single vulnerability or a single setting, and is incapable of taking as an examination item the combination of a plurality of security settings. These examination devices are therefore incapable of detecting a case in which each individual setting taken by itself cannot be viewed as an error and is thus determined not to constitute a security hole but in which the combination of these security settings results in a security hole of the computer system.
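The distinction drawn in the two preceding paragraphs, between a recommended-settings comparison that checks each setting on its own and a verification that also checks combinations of settings, is shown here as an added example that is not part of the patent and not the "System Scanner" product. The configuration keys, the sample configurations and the rules are all constructed for illustration; a real device would carry rules for the actual software being verified.

```python
# Constructed sample configurations, not from the patent. Every key is hypothetical.
# Each setting in SAMPLE_CONFIG is individually defensible, yet two combinations of
# them open the system; SAMPLE_CONFIG_OBVIOUS has the kind of single-setting error
# a recommended-settings comparison catches.
SAMPLE_CONFIG = {
    "admin_password": "s3cret-example",
    "allow_remote_login": True,       # a network service; fine by itself
    "allow_empty_passwords": True,    # tolerable on a console-only host
    "anonymous_upload": True,         # a drop box; fine by itself
    "upload_dir": "/srv/cgi",
    "script_dir": "/srv/cgi",         # same directory as the upload target
}

SAMPLE_CONFIG_OBVIOUS = dict(SAMPLE_CONFIG, admin_password="", allow_empty_passwords=False,
                             upload_dir="/srv/upload")


def rule_empty_admin_password(cfg):
    """Single-setting rule: an empty administrator password is an error in isolation."""
    return "admin_password is empty" if cfg.get("admin_password") == "" else None


def rule_remote_login_with_empty_passwords(cfg):
    """Composite rule over two settings: together they allow network logins with
    no password, although neither setting is an error on its own."""
    if cfg.get("allow_remote_login") and cfg.get("allow_empty_passwords"):
        return "allow_remote_login and allow_empty_passwords are both enabled"
    return None


def rule_upload_into_script_dir(cfg):
    """Composite rule over three settings: anonymous uploads that land in the
    directory the server executes scripts from turn a drop box into code execution."""
    if cfg.get("anonymous_upload") and cfg.get("upload_dir") == cfg.get("script_dir"):
        return "anonymous_upload writes into script_dir"
    return None


SINGLE_RULES = [rule_empty_admin_password]
COMPOSITE_RULES = [rule_remote_login_with_empty_passwords, rule_upload_into_script_dir]


def verify(cfg, rules):
    """Run each rule against the configuration; return the findings, in rule order."""
    findings = []
    for rule in rules:
        msg = rule(cfg)
        if msg:
            findings.append(msg)
    return findings


if __name__ == "__main__":
    print("single-setting rules:   ", verify(SAMPLE_CONFIG, SINGLE_RULES))
    print("with composite rules:   ", verify(SAMPLE_CONFIG, SINGLE_RULES + COMPOSITE_RULES))
    print("obvious error, single:  ", verify(SAMPLE_CONFIG_OBVIOUS, SINGLE_RULES))
```

Run against `SAMPLE_CONFIG`, the single-setting rules report nothing, which is the clean verdict the text warns about, while the composite rules report both combinations. The structure of a composite rule is simply a predicate over several keys of the same configuration, so no pseudo-attack against the object system is needed to evaluate it.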
The device of Ritchey et al. investigates the presence of a combination of a plurality of vulnerabilities that may constitute a security hole but does not take as an examination item the setting errors themselves of the security settings.
Each of the above-described devices of the prior art further suffers from the problem of imposing a high burden upon the object system. More specifically, the security examination device shown in FIG. 1 employs an examination approach referred to as the pseudo-attack approach. In this method, an attack that uses a vulnerability is actually delivered, so the object system is subjected to a load that is equivalent to an actual attack, and the object system may in some cases actually fail as a result. Accordingly, the security examination device shown in FIG. 1 may in some cases not be applicable because of the state of the object system.
A security examination device therefore preferably allows the examination of the security of a computer or a system that is the object of examination regardless of the state of the computer or the system.